Credential Guard

Winsage
May 7, 2025
Microsoft has acknowledged that the April 2025 security updates are causing authentication challenges for certain Windows Server domain controllers, specifically affecting Windows Server versions 2016, 2019, 2022, and 2025. The issues arise after installing the April Windows monthly security update (KB5055523 or later), leading to complications in processing Kerberos logons or delegations that rely on certificate-based credentials. Affected authentication protocols include Kerberos PKINIT, S4U via RBKCD, and KCD. These issues are linked to security measures addressing the critical vulnerability CVE-2025-26647, which allows authenticated attackers to escalate privileges remotely. A temporary workaround involves modifying a registry value. Microsoft has previously addressed similar authentication issues in Windows 11, Windows Server 2025, and earlier versions.
Winsage
April 14, 2025
Microsoft has warned IT administrators that Windows Server 2025 domain controllers (DCs) may become inaccessible after a restart because they default to the standard firewall profile instead of domain-specific settings. As a result, DCs can be unreachable on the domain network or improperly accessible through ports and protocols that should be restricted. A workaround involves manually restarting the network adapter on affected servers after each reboot, and Microsoft recommends setting up a scheduled task for this. The company is working on a permanent solution for a future update. Additionally, Microsoft has alerted users to another issue with Windows Hello logins related to the KB5055523 April 2025 security update and has implemented a fix for authentication issues with Credential Guard and the Kerberos PKINIT pre-auth security protocol.
Winsage
April 9, 2025
Microsoft has released the KB5055523 update for Windows 11, which includes various fixes and enhancements. Key improvements include a fix for the Explorer context menu issue, increased reliability of ctfmon.exe, and resolution of a Kerberos authentication problem related to RC4 encryption. New features for Copilot+ PC users include an improved Windows Search with semantic indexing, natural language search for cloud-stored photos, enhanced communication capabilities with live captions and real-time translation, and support for real-time translation into Simplified Chinese on Snapdragon-powered devices. The update also addresses issues with machine password rotation in the Identity Update Manager, updates for Daylight Saving Time in Chile, and unexpected behavior in the PcaUiArmUpdate feature. KB5055523 will be automatically installed for users.
Winsage
April 9, 2025
Microsoft resolved an authentication issue related to Credential Guard on systems using the Kerberos PKINIT pre-authentication protocol, affecting Windows 11, version 24H2, and Windows Server 2025. The problem involved improper password rotation when using the Identity Update Manager certificate, leading to user authentication issues primarily in enterprise environments. Devices failed to change passwords every 30 days, causing them to be perceived as stale, disabled, or deleted. The resolution was provided in April 2025 through Windows security updates, and Machine Accounts in Credential Guard were temporarily disabled. Microsoft advised users to install the latest updates for improvements and fixes. This is not the first authentication issue Microsoft has addressed; previous challenges occurred in November 2022 and November 2021, involving Kerberos sign-in failures and delegation scenarios.